scrape
Warn
Audited by Gen Agent Trust Hub on May 3, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's preamble executes numerous local binaries (e.g., gstack-config, gstack-update-check) from the vendor's local directory to manage environment state and telemetry.
- [DYNAMIC_EXECUTION]: The skill uses eval and source on the output of local binaries, specifically gstack-slug and gstack-repo-mode, to dynamically configure environment variables at runtime.
- [DATA_EXPOSURE_AND_EXFILTRATION]: Telemetry data, including repository names, skill usage, and session durations, is collected and may be transmitted to a remote server via the gstack-telemetry-log binary. Additionally, session memory can be synchronized to a private GitHub repository.
- [REMOTE_CODE_EXECUTION]: The 'GBrain Sync' feature performs automated git fetch and git merge operations from a remote repository to synchronize session history.
- [INDIRECT_PROMPT_INJECTION]: The skill is designed to scrape untrusted content from web pages.
- Ingestion points: External web content is ingested via $B text and $B html primitives (SKILL.md).
- Boundary markers: Absent; the skill does not use delimiters to isolate untrusted web content.
- Capability inventory: The agent has access to Bash, Read, and AskUserQuestion tools (SKILL.md).
- Sanitization: Absent; no escaping or filtering of scraped content is performed before processing.
- [COMMAND_EXECUTION]: The skill is authorized to modify the project's CLAUDE.md file and execute git commit commands to automatically inject and save skill routing rules.
Audit Metadata